Kevin Brennan: The hon. Gentleman is right to probe me on that. The truth of the matter is that there is a convenient clause to which we could add our amendments, which starts things two months after Royal Assent. As I said, amendment 94 is a probing amendment and I am sure the Minister will tell us all the reasons why it is technically defective. I will not push it to a vote so I am prepared to hear that, but we want to use it as a method of finding out the Government’s position.
Section 73 was originally introduced to encourage the roll-out of cable and to help a fledgling platform compete against terrestrial television by ensuring that cable platforms had access to public service broadcasting content. The Government have agreed that this policy objective was met some time ago, and in July reported that they were
“satisfied that the objective of ensuring that PSB services (as well as other TV services) are available throughout the UK has been met, and therefore section 73 is no longer required to achieve that objective.”
Subsection (3) states:
“The Secretary of State may by regulations make transitional, transitory or saving provision in connection with the coming into force of this section.”
Inasmuch as this generally means that the state will repeal section 73 when it sees fit, there are concerns among some public service broadcasters about understanding more clearly the Government’s intentions in relation to the timetable for that repeal. It would not be such a pressing issue were section 73 merely a harmless hangover and simply moribund. However, as we have heard, it is more than a legal anachronism. It is a loophole through which taxpayers’ money is effectively funnelled into private businesses.
As we have heard, section 73 allows companies, such as TVCatchup and FilmOn, to live stream the content of public service broadcasters and other channels online without permission. In other words, the money the public pay through their licence fee pays for content that is then, in effect, given away for free to companies other than public service broadcasters. Those companies then monetise that public service broadcasting content by placing their own advertising around it.
Public service broadcasters are granted public funding and the other advantages we have talked about on the understanding that, in exchange, they are obliged to air content that works for the public’s benefit, rather than solely for the benefit of commercial interests. Section 73, in effect, allows TVCatchup and FilmOn to benefit from that same public funding, but those companies are clearly not held to the same standards. That amounts not only to the taxpayer unwittingly subsidising those businesses, it effectively directs funds away from PSBs and impacts on their ability to generate legitimate commercial revenues and to reinvest in the wider creative economy. Those live-streaming sites increase public service broadcaster reliance on public money and can fuel a vicious cycle of under-funding.
There is cross-party agreement that that is wrong and has to be put right, which is what the Government are seeking to do, but why do we have to rely on the Secretary of State to
“make transitional, transitory or saving provisions”
for repealing section 73? Is it not the case that broadcasters and the public deserve a more explicit timeframe, for the reasons I have laid out, so that this does not persist for any more time than is absolutely necessary? Not only is that fair, but it would provide more certainty for public service broadcasters and ensure that their investment in UK content is protected. Amendments 63 and 64, which the hon. Member for Selby and Ainsty tabled, would mean the repeal of section 73 immediately after Royal Assent, which offers one way forward. Our probing amendments offer another alternative if the Government need more time.
Public service broadcasters first wrote to the Intellectual Property Office to ask for the repeal of section 73 in 2008. In the meantime, TVCatchup has obviously made millions on the back of PSB content and the European Commission has launched infraction proceedings against the UK Government, on the basis that section 73 denies public service broadcasters their intellectual property rights for their content, which is guaranteed under the 2001 copyright directive. It would also be helpful to know from the Minister how he believes that infraction proceeding plays into our discussion on the amendment, the repeal of section 73, and what role it has to play if the Bill indeed repeals section 73. In short, will the Minister explain why he is not offering a clear timetable for repeal in the Bill?

Graham Jones: Okay. If the Minister has any proposals, can he provide some clarity? There does not appear to be any and there are many people out there raising questions about this.
The guidance seems to suggest there will be no material change to the relationship between Virgin and public sector broadcasters, despite the repeal of section 73 of the 1988 Act, so I look to the Minister for some advice on where we are with that. The Government expect the relationship to be neutral, with no cost transfer. Will the Minister clarify that and confirm that he is not giving with one hand and taking away with another, but is in fact allowing public service broadcasters, such as the BBC licence fee payer, to receive payments for programmes produced by the BBC and the other public service broadcasters?
I want to pick up on the comments made by my hon. Friend the Member for Cardiff West about new clause 17 and perhaps add my own thoughts. The Government have taken their eye off the electronic programme guide. I would ask them to cast their eye back over it, as my hon. Friend suggested. Eleven clicks to S4C is just ridiculous, but we all see now—when people are reminded and it is pointed out to them, they say, “Oh yes, that is true.” Sky has put the electronic programme guide on the second tier, where there is Sky Box Office, Sky products and Sky everything else. We are seeing a diminution of the electronic programme guide and Ofcom unable to act in the public interest.
This is important because we are talking about a huge commercial space and, very quietly, Sky has clearly adapted that space for the benefit of the Sky platform. Other people are going to come along and we will see that contested. Companies such as Netflix in particular, which wants to enter the market in an assertive manner, want a big presence and are willing to spend a lot of money. Only in the last week, we have seen the amount of money that it has been suggested that Amazon is spending on Jeremy Clarkson’s latest foray into high-speed petrol-head motoring. Is it £160 million? There is a considerable amount of money in the marketplace from these other organisations and broadcast providers, and we are going to start to see the electronic programme guide being contested. In fact, it is already being contested, as Sky has already snatched the front page of the EPG on its platform.
I raise the following points with the Minister: Ofcom currently seems to be behind the curve on this issue and the guidance needs to be updated. We do not want to see public service broadcasters relegated in any way, shape or form. We do not want to see the design or architecture of the EPG manipulated so that maybe the BBC is number one but somehow Netflix catches people’s eye more prominently, with small letters for the first five and big graphics for some of the more commercial providers, such as Amazon. It is not just about having slots one to five; Ofcom should be mindful of the actual graphic presentation.
We do not want to see adverts creeping into the EPG either, so Ofcom needs to be absolutely clear in the regulations and guidelines about the type of space that the EPG is. The Government should be mindful not only of platform providers such as Sky, but of TV manufacturers, which will come over the hill and see the space. Someone will turn on their television and, after “LG—Life’s Good”, the first thing they will see is Netflix in the top corner, before they even click on an EPG. Technology is moving fast and the presentation of available services must have some framework and clearer guidance from Ofcom, because it is important that we do not end up in a world where public service broadcasters are relegated several clicks away from primacy—ITV needs the commercial return and Channel 4 also has a commercial element and needs the returns on advertising. That scenario should not be allowed, as it would affect the broadcasters as a business, along with their funding model and audience figures and therefore their advertisers and advertising revenue. We absolutely must be clear about what the graphical interface and its parameters should be—no adverts—and also about which broader platforms might seek to enter the market, such as TV manufacturers.
I welcome new clause 17. The Government have a lot of work to do on EPG guidance, because this legislation will go down for the next 10 years and in that time we will see incredible technological advancements, with companies wanting to capture that prime retail space. It is incumbent on the Government to step in, not just to make the situation better and more consistent for the viewer but to protect the public service broadcasters, as not only the licence fee payer but the advertiser on the commercial channels is affected. We have a national interest, therefore, in protecting that space. It is important that the Government revisit the EPG guidelines.
I am interested in hearing the Minister’s comments on my questions, particularly his clarification regarding Sky and the 2003 Act—I cannot find anything on that in the documentation—and also some reassurance on the EPG.

Matthew Hancock: Yes; I disagree with that analysis. Were that to become the problem, then we would need to act, because we support the listed events regime. However, we do not agree with the analysis that the hon. Gentleman has put forward, and the reason is not only because of the measurement, on the existing, most restrictive definition of the 95%, but also because the definition of qualifying channels are those that are received without payment. There are many ways to receive a channel without payment, including online, so viewers moving from terrestrial TV to online does not necessarily—and in my view does not—remove them from that 95%.

Louise Haigh: I am very grateful to my hon. Friend the Member for Cardiff West for giving me some much-needed time off. I do not wish to disappoint the Minister by not being as brief as we were earlier, but I am not sorry, because part 5 really does require some further scrutiny. I think the Government know that it was not ready for Committee, not least because they have tabled several dozen amendments to it, but also because the codes of practice were not in good enough shape last week, according to the Information Commissioner, but were published just a few days later—some civil servants were clearly working overtime in the intervening period.
Clause 29 allows specified persons to share data for a specified objective. All national authorities will be enabled to lay regulations through secondary legislation for exactly what those data-sharing arrangements will be and what they will be for. In doing so, this clause lays out that they will be required to ensure the secure handling of information and to have regard to the codes of practice. Our amendments seek to strengthen this and to ensure that anyone involved in the sharing of data under these new powers is in full compliance with the codes of practice that were published last week.
I want to be very clear here: the Opposition do not oppose the Government’s sharing data among themselves to improve policy making and public services, but we must get this absolutely right and we are still a long way away from that, given the state of the current proposals. This is a key point: the public support the sharing of data to better enable the Government to provide services and to better enable the public to make use of those services, but public trust is fragile and has been rocked in recent years by varying degrees of incompetence in managing those data. Before Government Members point out that previous Labour Administrations were just as guilty, I fully accept that. This is not a political but rather an administrative point, which is why such proposals need to proceed with the utmost caution.
The Information Commissioner produced a very instructive report on this very point, which is extremely important to this part of the Bill, because it demonstrates the circumstances in which the public are happy for their data to be shared. The commonly recurring themes of what the public want regarding data could not be clearer: they want control over their data; they want to know what organisations are doing with those data; and they want to understand the different purposes and benefits of sharing their data. In that context, 63% of people agreed that they had lost control over the way in which their data are being used. This demonstrates that if there is to be sharing of data, which we support, there must be very clearly defined safeguards based on consent and transparency.
This part of the Bill gives considerable powers to Government to share data, but there are essentially no safeguards built in to ensure privacy, data protection, proportionality and a whole host of other principles that should sit alongside data sharing. It is vital that these reforms go ahead and we are completely in favour of effective data sharing across Government to achieve public sector efficiencies, value for money, improved public sector services, take-up of benefits for the most vulnerable, such as the warm home discount or free school meals, and, most importantly, an improved experience for those who use public services.
The Minister for Digital and Culture claimed in an evidence session that the safeguards are in the Bill, but that is simply not the case. I would be grateful if the Parliamentary Secretary, Cabinet Office outlined what safeguards he thinks there are. As I, a relatively amateur observer, as well as those who are much more expert in the matter read it, the safeguards are to be added at a later date, written up by the Government and consulted on with people whom the Government deem fit to consult. Furthermore, there is absolutely nothing the public sector does that is not covered by the clause. I would be grateful, therefore, if the Minister gave us a single example that that—I quote from the clause—for the purposes of
“the improvement of the well-being of individuals or households”,
or of improving
“the contribution made by them to society”,
would not deliver.
The codes that were published last week gave examples of objectives that would fall foul of those criteria, including those that are punitive. It is useful to see the examples, but it is of concern that the Bill does not explicitly exclude a punitive objective. The codes also include examples of objectives that are too general rather than too specific, and it would help if the Minister said exactly where the line about what is too specific is drawn. Improving levels of safety in a neighbourhood is given as an example of an objective that is too general, but would reducing the number of burglaries in a neighbourhood, for example, be specific enough?
The Government have stated that the proposed powers are to support:
“The delivery of better targeted and more efficient public services to citizens; The detection and prevention of fraud against the public sector and citizens to manage debt more effectively; and better research and official statistics to inform better decision-making.”
Of course, no one could disagree with any of that and the majority of respondents and, in fact, all the witnesses we saw two weeks ago, agreed with the purpose of the proposals. However, as the Government’s summary of responses to their consultation, “Better use of Data in Government” stated:
“The majority of responses were supportive of the proposals and the need to ensure appropriate safeguards, accountability and transparency are in place to build trust with citizens on the usage of their data.”
Crucially for the purposes of the debate, several respondents favoured such measures being in primary legislation as opposed to codes of practice.
Not only are the objectives not limited in the Bill, but the bodies that can share or receive data are not particularly limited. Subsection (3) states:
“A person specified in regulations under subsection (2) must be—
(a) a public authority, or
(b) a person providing services to a public authority.”
The Government’s consultation set out that they intend to proceed with proposals to enable non-public sector organisations that fulfil a public function on behalf of a public authority to be in scope of the powers. They said, in response to their consultation:
“We will strictly define the circumstances and purposes under which data sharing will be allowed, together with controls to protect the data within the Code of Practice. We will set out in the Code of Practice the need to identify any conflicts of interest that a non-public authority may have and factor that information in the decision-making”.
It seems pretty comforting that the Government will strictly define the circumstances and clearly identify conflicts of interest. It is right that they do that, given that the majority of the respondents supported the proposals,
“as long as appropriate strict controls are in place to safeguard citizen data against misuse.”
Again, I quote from the Government’s consultation.

Louise Haigh: I am grateful for that intervention. I am very aware of the Concentrix case and will come on to it shortly.
On the inclusion of non-public sector authorities and the Government’s intention to strictly define the circumstances and purposes under which data sharing with such organisations will be allowed, their statement of intent was clear. However, only one paragraph in the 101-page draft code mentions non-public sector organisations. That paragraph says that an assessment should be made of any conflicts of interest that the non-public authority may have but it does not give any examples of what those conflicts of interest might look like, so perhaps the Minister will elaborate on that when he responds. It states that a data-sharing agreement should identify whether any unintended risks are involved in disclosing data to the organisation—the risk regarding Concentrix was just highlighted—but the code of practice does not list any examples or set out how specified persons might go about ascertaining those. It also states that non-public authorities can only participate in a data-sharing agreement once their sponsoring public authority has assessed their systems and procedures to be appropriate for the secure handling of data, but it does not give any sense of what conditions they will be measured against or how officials should assess them.
That is not the kind of reassurance that was provided in the Government’s consultation response. Given that these are draft codes, I hope the Minister will take what I have said away and improve them, not least because of the recent scandal relating to the US multinational company, Concentrix, which was contracted by HMRC to investigate tax credit error and fraud. Concentrix sent letters to individuals—mostly working single mothers across the country receiving tax credits—in what was essentially a large-scale phishing exercise. Not only did it get things catastrophically wrong by cancelling benefits that it should not have cancelled and leaving working mothers destitute over many weeks and months in some cases, but it also performed serious data breaches in sending multiple letters to the wrong individuals and disclosing personal information.
We have made it very clear that the Bill could have done with considerably more work before it was brought before the House. I understand that the civil servant who wrote part 5 has now left, or is on the verge of leaving, the employ of the civil service, so there is even more reason for us to work cross party and with expert organisations on improving the proposals.
As I have said, public trust in Government handling of data is not strong. Unfortunately, the public have not been given any reason to put their concerns to rest. The recent National Audit Office report, “Protecting information across government”, revealed the prevalence of weak controls on the protection and management of personal information in Government. Any continuation of the existing poor information management identified by the NAO, or the further weakening of cyber-security and data protection implied by part 5, is likely to have negative economic and social impacts.
As the Information Commissioner’s Office commented:
“It is important that any provisions that may increase data sharing inspire confidence in those who will be affected. Our research shows that the public are concerned about who their data is shared with and reflects concerns that they have lost control over how their information is used. Even apparently well-meaning sharing of data such as GP patient records for research purposes can arouse strong opinions.”
This is an important time to strengthen cyber-security and the minimisation and protection of data, which is why it is so important to get this part of the Bill right. A huge prize is on offer, but this has the potential of going the way of the care.data scandal. Frankly, it is astonishing that neither Ministers nor civil servants have learnt their lessons from that very regrettable episode, because there was absolutely nothing wrong with the principle of care.data either; it attempted to achieve exactly the kind of aims as the Bill’s reforms.
The idea was to create a database of medical records showing how individuals have been cared for across the GP and hospital sectors. Researchers believed that the information would be vital in helping them to develop new treatments as well as assessing the performance of NHS services. The records would be pseudo-anonymised, meaning that the identifiable data would be taken out. Indeed, they would just contain the patient’s age range, gender and the area they lived in. However, researchers could apply for the safeguards to be lifted in exceptional circumstances, such as during an epidemic. That would have needed the Health Secretary’s permission.
The concept had the backing of almost the entire medical community, many charities and some of the most influential patient groups. The UK’s leading doctors told us how access to so many NHS records would help them to understand the causes of disease, quickly spot the side effects of new drugs and detect outbreaks of infectious diseases.
The problem with care.data was that the advantages and the principles upon which the data would be shared were simply not communicated by the Government or by NHS England, and so it attracted the criticism of bodies as disparate as the British Medical Association, the privacy campaign group Big Brother Watch and the Association of Medical Research Charities. Such was the botched handling of the publicity surrounding care.data that, by April 2014, the launch was aborted. However, it emerged the following June that nearly 1 million people who had opted out of the database were still having their confidential medical data shared with third parties, because the Health and Social Care Information Centre had not processed their requests.
A review by the National Data Guardian, Dame Fiona Caldicott, found that care.data had caused the NHS to lose the trust of patients, and recommended a rethink. That prompted the then Life Sciences Minister, the hon. Member for Mid Norfolk (George Freeman), to announce that the scheme was being scrapped altogether, even though £7.5 million had already been spent on constructing a database, printing leaflets, setting up a patient information helpline and researching public attitudes to data sharing.
The Caldicott review established a set of Caldicott principles, with the primary one being that the public as well as the professionals should be involved in data-sharing arrangements. Dame Fiona Caldicott proposed a simple model that gives people the option to opt out of any of their information being used for purposes beyond care. She said:
“We made it slightly more complicated by saying it was worth putting to the public the choice of having two separate groups of information to opt out of – [those being] research and information used for running the health service. If you put all of the possible uses of data currently in the system together and asked people to opt in or out of that, it’s actually asking them to make a choice about a very big collection of information. [People] may want to have the possibility of saying, ‘Yes, I’d like my data to be used for the possibility of research, but I don’t want it to be used for running the health service’.”
She also made it very clear that the benefits of data sharing and what it means need to be communicated clearly to the public, as there is a lot of confusion around how the data are shared.
Absolutely nothing has changed since that disaster and the subsequent review, so it is concerning not to see those basic principles included in the Bill. I am interested to hear the Minister’s response to those principles laid out by the National Data Guardian. The public need to be able to trust organisations that handle their data and they need to retain control over those data. Both those things are essential to build confidence and encourage participation in the digital economy. The principles have been debated over the past several years at the European level, and we should be told here and now—today—whether the Government intend to implement the EU’s General Data Protection Regulation. If they are, why is the Bill not compliant with it?
The new EU GDPR and the law enforcement directive were adopted in May and will take effect from May 2018. The GDPR includes stronger provisions on: processing only the minimum data needed; consent; requirements on clear privacy notices; explicit requirements for data protection by design and by default; and on carrying out data protection impact assessments.
Although the Government’s arrangements for exiting the European Union have yet to be decided, it seems likely that the GDPR will take effect before the UK leaves, so the Government will have to introduce national level derogations prior to its implementation. If that is the case, there will have to be a thorough consideration of the impact of the new legal framework on all aspects of the Bill affecting data sharing, including implementation arrangements. Indeed, as the Information Commissioner said when giving evidence to the Committee two weeks ago:
“There may be some challenges between the provisions and the GDPR… There would be a need to carefully review the provisions of this Bill against the GDPR to ensure that individuals could have the right to be forgotten, for example, so that they could ask for the deletion of certain types of data, as long as that was not integral to a service.”––[Official Report, Digital Economy Public Bill Committee, 13 October 2016; c. 112-13, Q256.]
The GDPR states that data are lawfully processed only if consent has been given by the individual, which is completely lacking in this section of the Bill. It also gives data subjects that right to withdraw consent at any time:
“It shall be as easy to withdraw as to give consent.”
Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased or no longer used for processing.
Part 5 makes little mention of security or privacy, or how such data sharing will comply with obligations around informed consent and the ability to revoke consent. It is not explained, for example, how it will be possible for a citizen to revoke consent if data have been copied and passed on to third parties, particularly if it was done without their knowledge. Once digital data are held by third parties and no longer under the control of their original owner, it will be difficult to know who has a copy and equally difficult for a citizen to revoke consent to the access and use of such data.
In fact, the Bill makes no mention of consent at all, and the codes are clearly not designed to support a consent-based model. If that is not the case, we would be grateful if the Minister confirmed on exactly what principles the codes were designed and what principles should always be adhered to, in his opinion, when sharing data. In the consultation, the Government said that the following principles should apply:
“no building of new, large, and permanent databases, or collecting more data on citizens; no indiscriminate sharing of data within Government; no amending or weakening of the Data Protection Act; and safeguards that apply to a public authority’s data (such as HMRC) apply to the data once it is disclosed to another public authority (i.e. restrictions on further disclosure and sanctions for unlawful disclosure).”
If the Government hold those principles so dear, why were they not included in the Bill? Where are the principles for transparency, security, necessity, data minimisation and proportionality?
Further issues with the lack of safeguards in primary legislation include the fact that privacy must only be considered; it is not a right. There is no reference anywhere to the role of data protection officers, who are critical for public bodies; that is surely an oversight given the requirements on data protection officers in the general data protection regulation. There is also no mention at all of transparency, which is particularly conspicuous by its absence. The Bill completely lacks any requirement for transparency about what data flows already exist and what new ones will be established. Care.data was only an exception insofar as it hit the public domain first.
We will table a new clause later in the Bill that will make transparency mandatory in a public register of data sharing agreements. Full transparency helps build trust in the process, so the details do not matter. If there is no transparency, there can be no trust in the process. Transparency must be absolutely central to the process, alongside privacy and security. We would argue that it is the most important principle on which the proposals should be built.
The Government seemed to agree during the public consultation and design of their proposals, but I am afraid that we simply do not trust the Government’s current data practices, if the concerns raised by ex-Government employees tasked with improving those practices are anything to go by. Last summer, the Government Digital Service experienced a mass walkout over the Cabinet Office’s failure to get to grips with Government digitisation. We heard from the former head of that service during an evidence session about his deep concerns about the proposals. Those concerns were expressed by an individual whose job it was to promote data sharing around Government to improve public service delivery.
We want the Government to produce a register on data sharing arrangements. We are pleased to see audits mentioned in the codes of practice, but I do not believe that they would actually be possible, based on the current practices that abound across Government. A named day question was asked of the Cabinet Office last week about whether it had an audit of the data sharing arrangements across Government. Although the deadline for the answer to that question was yesterday, we have yet to hear whether the Government even know who is sharing what across Government, how they are doing it, why they are doing it and how the data are being secured and protected—never mind what ISDN lines run to each Department, enabling other agencies, other organisations and perhaps even other Governments to look up data held by Government.
We will come back to those points during later debates, but I hope that the Minister can assure us, in relation to clause 29, that he is getting a grip on the issue, particularly given the significant new powers that the clause imparts to the Government. The Government consultation said:
“Transparency was a key recurring theme raised by citizens and representatives from across the range of sectors. The view expressed was that trust could be built by ensuring that citizens could understand what data was being accessed, how it was being used and for what purposes.”
However, the public have not yet even seen the draft codes of practice, as they have not been made available on the parliamentary or Government websites. It puts the more than two-year consultation process to shame that we cannot even invite debate from the public on this vital part of the Bill. Ministers claim that the legislation resulted from the open policy-making process, but we heard from several witnesses that that was not actually the case. Many were surprised, to say the least, by the proposals published in the Bill, as they bore no relation to the discussions or proposals put before them as part of that process. One organisation’s written evidence is incredibly damning. It states:
“The Cabinet Office misled everyone involved, wasted a vast amount of time and goodwill, and went ahead with doing what they were going to do anyway. At the very last minute, they vastly expanded the scope of the work, with the only material provided in non-aural form being the presentation title and the department of the civil servant presenting. The process ignored the hard problems, and did whatever the Cabinet Office wished to do in the first place.”

Louise Haigh: She was referring to the codes being improved since she gave evidence to the Committee. Later in that letter, which I think the Minister has in his hand, she goes on to say that she stands by the other evidence, both the oral evidence that she gave the Committee and her written evidence, which included her view that privacy impact notices should be in the Bill.

Chris Skidmore: She also mentions that, on privacy impact assessments and with reference to her privacy notices code of practice:
“This will build in transparency at two levels:—”
in the current situation—
“greater accountability through the publication of PIAs and timely and clear information for individuals so they can understand what is going to happen to their data.”
The Government remain committed to working with the Information Commissioner’s Office. When it came to the evidence sessions, I was aware of the fact that we had a long process discussion around the codes of practice and when their publication dates were due. It was very important for me, as a Minister, to ensure that we had the confidence of the ICO going forward and that we could publish those draft codes. We will continue those conversations.
When looking at putting the codes or privacy impact assessments in the Bill, it comes back to the key point of being able to continue that conversation when it comes to a transformational technology that we may not even know exists at the moment and that may radically change our ability to look at how we data share. At the moment we are looking at specified portals through which we will data share for the benefit of the most vulnerable in society, but there may be a new technology that allows the Government to expand our scope. If that new technology comes into being and we write the codes and privacy impact assessments into the Bill, we will have the chilling effect of ossifying the practice; it will impact on our ability to adapt and to be able to look at new technology, to move fast and to realise the opportunities that we may have to data share for the benefit of the most vulnerable in society.

Louise Haigh: The amendments would restrict the onward disclosure of data. As we know, the public value their data, and the amendments would place a higher test on onward disclosure.
It is important that data disclosures of information as sensitive as we have been discussing are appropriately considered; they must not simply be nodded through. Introducing a principle of necessity would mean that organisations have to make a case, rather than merely tick a box. Crucially, that would help to make the Bill more consistent with existing data protection. As the Information Commissioner’s data sharing code of practice clearly states:
“You should employ ‘need to know’ principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.”
The ICO’s data sharing code of practice could not be any clearer. It is designed to protect an individual’s data and to prevent any onward disclosure to the organisations that have access to those data.
The Data Protection Act is also framed in terms of necessity. The ICO’s code of practice states:
“The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)…The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident…The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.”
The amendments, which would insert the word “necessary”, ask a simple question: why are the exemptions in the Data Protection Act set aside when there is disclosure of confidential personal data for certain public interest purposes? That is already clearly well established. For example, in the context of policing, section 29(3) of the Data Protection Act states that:
“Personal data are exempt from the non-disclosure provisions in any case in which”
the disclosure is for any of the purposes of a criminal investigation, and failure to disclose
“would be likely to prejudice”
that investigation. One element of the application of that exemption from the non-disclosure provisions has the effect of excluding the lawfulness of the disclosure. It therefore protects the disclosing body from action for breach of confidence.
To disclose under the Data Protection Act, there has to be prejudice to an investigation before a disclosure of personal data can occur. Clause 33(2)(e) refers to disclosures
“made for the purposes of a criminal investigation”,
with no test of prejudice. The advantage of the amendments is that they would bring in the word “necessary”. That minor shift would at least ensure that the disclosure of personal data is proportionate.
Similarly, section 35(2) of the Data Protection Act permits disclosure of personal data for legal proceedings without risk of the disclosing party being subject to an action for breach of confidence if the disclosure of personal data
“is necessary… for the purpose of, or in connection with, any legal proceeding”.
In contrast, clause 33(2)(f) does not include the word “necessary” and reduces the threshold of disclosure to one that could facilitate speculative disclosures that could not be made under the Data Protection Act. We would be grateful if the Minister can explain why the necessity is removed and why the DPA provisions are not sufficient when personal data are disclosed, but only when it is necessary in connection with any legal proceedings. The amendments would align disclosure with the provisions of the DPA.
The changes to clause 33(2)(h)(i) to (iv) are proposed to make it clear why the DPA is insufficient. Schedule 2(4) permits disclosure of personal data if it
“is necessary in order to protect the vital interests of the data subject.”
Schedule 2(5)(b) allows disclosure that is necessary
“for the exercise of any functions conferred on any person by or under any enactment”.
Can the Minister describe what disclosures of personal data do not fall within those two provisions? The amendments insert the word “necessary” and simply align the disclosure with the Data Protection Act.